Upcoming Events

Executive conference

Cloud Connect March 16-18

Comprehensive thought leadership for executives, IT professionals and developers. Topics include: the ROI, cost and economics of on-demand computing; Migration strategies to move from on-premise to cloud-based IT; Vertical cloud specialization, tailoring features and architectures to specific applications, industries, and customer ecosystems

More Events »

Vendor Newsfeed

More Vendor Newsfeed »

Subscribe to Newsletter

  • Keep up with all of the latest news and analysis on the fast-moving IT industry with Network Computing newsletters.
Sign Up
Security
S N E A K   P R E V I E W  
Contivity Continues To Shine

  May 29, 2003
  By Mike Fratto


TOC Issue TOC
Printer Print full article
Printer Download as PDF
E-Mail E-Mail this URL
Discuss Discuss this article
flame author Flame the author

We've been impressed with Nortel's Contivity platform ever since we began testing version 1.0 in 1998. I examined the Contivity 5000 Secure IP Services Gateway and can report that it lived up to its predecessors and our expectations.

Most of the improvements are in the software, but the hardware updates could hardly be called incremental. I tested the new hardware and software in the Syracuse University Real-World Labs® and quite frankly, other VPN products have some catching up to do.

Nortel packs the 5000 with dual 2.2-GHz processors; 512 MB of RAM expandable to 1.5 GB; two 64-bit, 133-MHz PCI slots; the new cryptographic Contivity Security Accelerator, which supports AES (Advanced Encryption Standard); six WAN/LAN ports including WAN cards for ISDN BRI; V.90 and GigE SX fiber; and a 10/100/1000 copper interface on the motherboard--all in a sultry 3U rack-mount chassis. The on-board serial port, typically used for out-of-band management, can also be used for dial-backup network connections.

Version 4.8 of the software brings more redundancy to the system via a backup interface. It also adds NAT (Network Address Translation) for protected client IP addresses. The software includes an additional integration feature: Circuitless IP (CLIP). Used primarily for load balancing, CLIP assigns a single IP to one or more Contivity interfaces.

Nortel has increased client protection in this version with Firewall User Authentication (FWUA), which forces users on the protected side of a Contivity device to authenticate prior to accessing the VPN. Additional client protection comes from Tunnel Guard, which dynamically ensures that required applications, such as Web virus scanners or firewalls, are running prior to admission to the VPN.



Contivity 5000

click to enlarge
Redundant Redundancy

Since version 4.0 of the software, the Contivity has supported network failover using VRRP (Virtual Routing Redundancy Protocol) and OSPF. Although these protocols are useful, not all environments need the VPN to participate in OSPF, and VRRP is really for interface failover. In most situations, BIS (Backup Interface Services), which is included in the software I tested, can fail over network paths and VPNs regardless of network installation.

BIS should detect failed tunnels via route advertisements, pings and interface status (see "Backup Interface Services" diagram). You can define any IP address ping against the next hop router or any device in the path. I tested this by pinging a peer Contivity 600: My primary path went out the 10.1.1.1 interface. I configured a downstate indicated as three pings with a five-second time-out between each ping attempt. I then disconnected the interface cable between the Contivity 600 and the switch. After the allotted 15 seconds, the Contivity 5000 initiated a new IPsec session to the alternate Contivity 600 interface. Once I reconnected the cable between the switch and the Contivity 600, the Contivity 5000 switched back to the primary interface. Of course, if your primary network path is going up and down, the BIS will be flapping back and forth as well. To minimize the flapping, you will need to adjust the timing parameters to smooth things out.



Backup Interface services

click to enlarge
Extending Protection

Firewall User Authentication is designed to work with traffic that is passing through the Contivity in the clear or when the Contivity has a LAN-to-LAN VPN established between sites, authenticates users via an SSL-protected Web page at the Contivity firewall. To test this, I configured the Contivity 5000 to require authentication for access. Then I created users in the local database. As a user I pulled up the Web page from the Contivity and authenticated and was allowed into the VPN as expected. Once properly authenticated, all user traffic passes from the client to the Contivity. Users who fail to authenticate will be denied access at the Contivity firewall.

Contivity has always provided centralized client management. TunnelGuard extends protection and configuration and metes it out to the Contivity VPN Client. Through TunnelGuard, the Contivity client checks a Software Requirement Set (SRS), guaranteeing that the required programs or DLLs are loaded and running. To ensure that required files have not been modified or trojaned, TunnelGuard computes a hash of the target file and compares it to the SRS.

Good
• Circuitless IP provides better integration with load balancers
• Backup Interface Services provides more failover and redundancy
• TunnelGuard ensures required software is running on client computers
• Client authentication for non-VPN client-enabled desktops

Bad
• There aren't any

Vendor Info
Contivity 5000 Secure IP Services Gateway, $45,000. Nortel Networks, (800) 4NORTEL. www.nortelnetworks.com
I created SRS profiles for my test laptop by selecting key files from Norton Anti-Virus scanner. I then stopped the virus scanner and found that I couldn't connect to the VPN--TunnelGuard worked as advertised. Although TunnelGuard is not as full-featured as application-control client software, such InfoExpress, Nortel offers an SDK that can be used for tighter integration and subsequently enforce configuration features.

The improvements in Contivity 5000 and version 4.8 software add value to an already robust product. The increased CPU speed and available memory should provide improved performance. Additionally, the enhanced protection features make a good product even better.

Mike Fratto is a senior technology editor based at our Syracuse University Real-World Labs®. Write to him at mfratto@nwc.com.

Post a comment or question on this story.




Best of the Web

Data deduplication: Declawing the clones

Data deduplication is emerging as a critically important new arrow in the storage administrator's quiver to answer hard questions about the increasing problem in storage growth costs.

Quick Read

Compression, Encryption, Deduplication, and Replication: Strange Bedfellows

One of the great ironies of storage technology is the inverse relationship between efficiency and security: Adding performance or reducing storage requirements almost always results in reducing the confidentiality, integrity, or availability of a system.

Quick Read

WAN Optimization Whitelists and Blacklists

Optimization is a fantastic way of saving money and creating really happy customers at the same time, but it doesn't work flawlessly for all applications.

Quick Read

WAN Optimization as a Managed Service: It's Not About the Cost

This insight examines how organizations outsourcing their WAN optimization initiatives to a third-party go about achieving their goals for application performance, reducing operational costs, and streamlining enterprise infrastructure.

Quick Read

  Sponsored Links

Premium Content

Next Generation Data Center, Delivered, November 17th
NWC


Salary

Video

View All Videos

Most Popular

Stories Blogs

More Stories »

Whitepapers

More »

BlogRoll